1 A model of OASIS role-based access control and its support for active security
Jean Bacon, Ken Moody, Walt Yao

November 2002 ACM Transactions on Information and System Security (TISSEC), Volume 5 Issue 4

Full text: PDF (352.06 KB)

OASIS is a role-based access control architecture for achieving secure interoperation of 
services in an open, distributed environment. The aim of OASIS is to allow autonomous 
management domains to specify their own access control policies and to interoperate 
subject to service level agreements (SLAs). Services define roles and implement formally 
specified policy to control role activation and service use; users must present the required 
credentials. In an appropriate context, in order to activat ... 

Keywords: Certificates, OASIS, RBAC, distributed systems, policy, role-based access 
control, service-level agreements 



2 Proposed NIST standard for role-based access control
David F. Ferraiolo, Ravi Sandhu, Serban Gavrila, D. Richard Kuhn, Ramaswamy Chandramouli

August 2001 ACM Transactions on Information and System Security (TISSEC), Volume 4 Issue 3

Full text: PDF (417.90 KB)

In this article we propose a standard for role-based access control (RBAC). Although RBAC 
models have received broad support as a generalized approach to access control, and are 
well recognized for their many advantages in performing large-scale authorization 
management, no single authoritative definition of RBAC exists today. This lack of a widely 
accepted model results in uncertainty and confusion about RBAC's utility and meaning. The 
standard proposed here seeks to resolve this situation by u ...

Keywords: Role-based access control, access control, authorization management, security,
standards 



3 TRBAC: A temporal role-based access control model
Elisa Bertino, Piero Andrea Bonatti, Elena Ferrari

August 2001 ACM Transactions on Information and System Security (TISSEC), Volume 4 Issue 3

Full text: PDF (355.35 KB)

Role-based access control (RBAC) models are receiving increasing attention as a 
generalized approach to access control. Roles may be available to users at certain time 
periods, and unavailable at others. Moreover, there can be temporal dependencies among 
roles. To tackle such dynamic aspects, we introduce Temporal-RBAC (TRBAC), an extension 
of the RBAC model. TRBAC supports periodic role enabling and disabling— possibly with 
individual exceptions for particular users— and temporal dependencies ... 

Keywords: Role triggers, role-based access control, temporal constraints 



4 Role-based access control on the web

February 2001 ACM Transactions on Information and System Security (TISSEC), Volume 4 Issue 1

Full text: PDF (331.03 KB)

Current approaches to access control on Web servers do not scale to enterprise-wide
systems because they are mostly based on individual user identities. Hence we were
motivated by the need to manage and enforce the strong and efficient RBAC access control 
technology in large-scale Web environments. To satisfy this requirement, we identify two 
different architectures for RBAC on the Web, called user-pull and server-pull. To 
demonstrate feasibility, we im ... 

Keywords: WWW security, cookies, digital certificates, role-based access control 



5 The role-based access control system of a European bank: a case study and discussion

Andreas Schaad, Jonathan Moffett, Jeremy Jacob

May 2001 Proceedings of the sixth ACM symposium on Access control models and technologies

Full text: PDF (201.08 KB)

Research in the area of role-based access control has made fast progress over the last few
years. However, little has been done to identify and describe existing role-based access
control systems within large organisations. This paper describes the access control system
of a major European bank. An overview of the system's structure, its administration and
existing control principles constraining the administration is given. In addition, we provide
an answer to a key question - the ratio of ...

Keywords: control principles, dual control, inheritance, least privilege, number of roles, 
role administration, role-based access control, separation of duties



6 A role-based access control model and reference implementation within a corporate intranet

David F. Ferraiolo, John F. Barkley, D. Richard Kuhn

February 1999 ACM Transactions on Information and System Security (TISSEC), Volume 2 Issue 1

Full text: PDF (252.60 KB)

This paper describes NIST's enhanced RBAC model and our approach to designing and
implementing RBAC features for networked Web servers. The RBAC model formalized in this
paper is based on the properties that were first described in Ferraiolo and Kuhn [1992] and
Ferraiolo et al. [1995], with adjustments resulting from experience gained by prototype
implementations, market analysis, and observations made by Jansen [1988] and Hoffman
[1996]. The implementation of RBAC for the Web (RBAC/Web) p ...

Keywords: RBAC, Web servers, World Wide Web, access control, authorization
management, role based access



7 Team-and-role-based organizational context and access control for cooperative hypermedia environments
Weigang Wang

February 1999 Proceedings of the tenth ACM Conference on Hypertext and hypermedia: returning to our diverse roots

Full text: PDF (2.13 MB)



Keywords: cooperative hypermedia, coordination, groupware, process support, role-based 
access control, workflow 



8 Constraints: Specifying and enforcing constraints in role-based access control
Jason Crampton

June 2003 Proceedings of the eighth ACM symposium on Access control models and technologies

Full text: PDF

Constraints in access control in general and separation of duty constraints in particular are 
an important area of research. There are two important issues relating to constraints: their
specification and their enforcement. We believe that existing separation of duty 
specification schemes are rather complicated and that the few enforcement models that 
exist are unlikely to scale well. We examine the assumptions behind existing approaches to 
separation of duty and present a combined specification ... 

Keywords: authorization constraint, enforcement context, role-based access control, 
separation of duty constraint 



9 Enterprise Role Administration: An administration concept for the enterprise role-based access control model

Axel Kern, Andreas Schaad, Jonathan Moffett

June 2003 Proceedings of the eighth ACM symposium on Access control models and technologies

Full text: PDF (206.66 KB)

Using an underlying role-based model for the administration of roles has proved itself to be 
a successful approach. This paper sets out to describe the enterprise role-based access 
control model (ERBAC) in the context of SAM Jupiter, a commercial enterprise security
management software. We provide an overview of the role-based conceptual model 
underlying SAM Jupiter. Having established this basis, we describe how the model is used to 
facilitate a role-based administration approach. In particular, ... 

Keywords: SAM Jupiter, administrative role-based access control (ARBAC), automated 
identity management, enterprise role-based access control (ERBAC), enterprise roles, role- 
based access control (RBAC), scopes, security administration, security provisioning 



10 Access Control Policies and Specifications: A lightweight approach to specification and analysis of role-based access control extensions
Andreas Schaad, Jonathan D. Moffett

June 2002 Proceedings of the seventh ACM symposium on Access control models and technologies

Full text: PDF (444.67 KB)

Role-based access control is a powerful and policy-neutral concept for enforcing access 
control. Many extensions have been proposed, the most significant of which are the 
decentralised administration of role-based systems and the enforcement of constraints. 
However, the simultaneous integration of these extensions can cause conflicts in a later 
system implementation. We demonstrate how we use the Alloy language for the 
specification of a conflict-free role-based system. This specification provid ... 

Keywords: ARBAC97, alloy, separation of duties 


11 Role-based access control and the access control matrix
G. Saunders, M. Hitchens, V. Varadharajan

October 2001 ACM SIGOPS Operating Systems Review, Volume 35 Issue 4

Full text: PDF (888.27 KB)

The Access Matrix is a useful model for understanding the behaviour and properties of
access control systems. While the matrix is rarely implemented, access control in real
systems is usually based on access control mechanisms, such as access control lists or 
capabilities, that have clear relationships with the matrix model. In recent times a great 
deal of interest has been shown in Role Based Access Control (RBAC) models. However, the 
relationship between RBAC models and the Access Matrix is no ... 

12 An argument for the role-based access control model
David F. Ferraiolo

May 2001 Proceedings of the sixth ACM symposium on Access control models and technologies

Full text: PDF (171.06 KB)



13 A model of OASIS role-based access control and its support for active security
Walt Yao, Ken Moody, Jean Bacon

May 2001 Proceedings of the sixth ACM symposium on Access control models and technologies

Full text: PDF (220.27 KB)

OASIS is a role-based access control architecture for achieving secure interoperation of 
services in an open, distributed environment. Services define roles and implement formally 
specified policy for role activation and service use; users must present the required 
credentials, in the specified context, in order to activate a role or invoke a service. Roles 
are activated for the duration of a session only. In addition, a role is deactivated 
immediately if any of the conditions of the membe ... 

Keywords: OASIS, RBAC, certificates, policy, role based access control, service level
agreements 



14 Configuring role-based access control to enforce mandatory and discretionary access control policies

Sylvia Osborn, Ravi Sandhu, Qamar Munawer

May 2000 ACM Transactions on Information and System Security (TISSEC), Volume 3 Issue 2

Full text: PDF (137.62 KB)

Access control models have traditionally included mandatory access control (or lattice- 
based access control) and discretionary access control. Subsequently, role-based access
control has been introduced, along with claims that its mechanisms are general enough to
simulate the traditional methods. In this paper we provide systematic constructions for 
various common forms of both of the traditional access control paradigms using the role- 
based access control (RBAC) models of Sandhu et al., co ... 

Keywords: discretionary access control, lattice-based access control, mandatory access 
control, role-based access control 



15 Role delegation in role-based access control
SangYeob Na, SuhHyun Cheon

July 2000 Proceedings of the fifth ACM workshop on Role-based access control

Full text: PDF (105.05 KB)



Keywords: active delegation, delegation protocol, delegation server, passive delegation, 
role delegation, role-based access control 



16 Supporting relationships in access control using role based access control
John Barkley, Konstantin Beznosov, Jinny Uppal

October 1999 Proceedings of the fourth ACM workshop on Role-based access control

Full text: PDF (1.19 MB)



17 A framework for implementing role-based access control using CORBA security service

Konstantin Beznosov, Yi Deng

October 1999 Proceedings of the fourth ACM workshop on Role-based access control

Full text: PDF (1.21 MB)



18 Context sensitivity in role-based access control
Arun Kumar, Neeran Karnik, Girish Chafle

July 2002 ACM SIGOPS Operating Systems Review, Volume 36 Issue 3

Full text: PDF (886.37 KB)

This paper describes an extended role-based access control (RBAC) model, which makes 
RBAC sensitive to the context of an attempted operation. Traditional RBAC does not specify 
whether the permissions associated with a role enable access to a particular object, or to 
some subset of objects belonging to a class. We extend the model by introducing the 
notions of role context and context filters. Context filters are Boolean expressions based on 
the context of the user attempting ...

19 Team-based access control (TMAC): a primitive for applying role-based access controls in collaborative environments
Roshan K. Thomas

November 1997 Proceedings of the second ACM workshop on Role-based access control

Full text: PDF (745.93 KB)




20 RBAC for Collaborative Environments: Role-based access control for collaborative enterprise in peer-to-peer computing environments
Joon S. Park, Junseok Hwang

June 2003 Proceedings of the eighth ACM symposium on Access control models and technologies

Full text: PDF (324.70 KB)

In Peer-to-Peer (P2P) computing environments, each participant (peer) acts as both client 
and content provider. This satisfies the requirement that resources should be increasingly 
made available by being published to other users from a user's machine. Compared with 
services performed by the client-server model, P2P-based services have several 
advantages. However, wide-scale application of P2P computing is constrained by limitations 
associated with the especially sophisticated control mechanisms ... 

Keywords: peer-to-peer computing, role-based access control, security 